Legal
Data Processing Addendum
Last updated April 24, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Controller”) and Prevnt, Inc. (“Processor”) when Prevnt processes personal data on the Controller’s behalf in connection with the service. This is a draft pending counsel review. To execute a countersigned copy, email legal@prevnt.tech.
1. Definitions
Terms used but not defined in this DPA have the meanings given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, and the CCPA/CPRA, as applicable. “Agreement” means the subscription agreement or online terms in force between the parties.
2. Roles & scope
Controller acts as controller and Processor acts as processor of the personal data. Processor processes personal data only on Controller’s documented instructions (including instructions given through the service’s standard configuration) and will not process it for any other purpose without Controller’s prior written consent.
3. Subject-matter & duration
- Subject-matter: provision of the Prevnt CMMS service.
- Duration: the term of the Agreement plus 30 days for retrieval, then deletion.
- Nature & purpose: hosting, analytics, support, and feature delivery as described in the Agreement.
- Categories of data subjects: Controller’s employees, contractors, and end-users.
- Categories of personal data: name, contact details, role, work-related activity (e.g. tickets assigned, completion timestamps).
4. Processor obligations
- Process personal data only on Controller’s documented instructions.
- Ensure personnel with access are bound by confidentiality obligations.
- Implement technical and organizational measures consistent with Annex II (below), including encryption in transit and at rest, MFA, role-based access, audit logging, and incident response.
- Notify Controller without undue delay after becoming aware of any personal data breach affecting Controller’s personal data and, where feasible, no later than 72 hours after becoming aware of it.
- Assist Controller with data-subject requests, DPIAs, and regulator inquiries at Controller’s reasonable request.
5. Subprocessors
Controller authorizes Processor to engage the subprocessors listed on Processor’s current subprocessor register (available on request from privacy@prevnt.tech). Processor will give at least 30 days’ prior notice of any addition or replacement and will flow down materially equivalent data-protection obligations to each subprocessor. Controller may object on reasonable grounds.
6. International transfers
Where personal data originating in the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 or Module 3 as applicable) and, for UK transfers, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, each incorporated by reference.
7. Audit
On reasonable request and no more than once per year (unless required by a regulator), Processor will make available its latest SOC 2 Type II report and penetration test summary and will respond to a reasonable security questionnaire. On-site audits are reserved for cases of documented regulator demand.
8. Deletion & return
Within 30 days of termination, Processor will delete or return all personal data, except where retention is required by law. A written certificate of deletion is available on request.
9. Liability & order of precedence
Liability under this DPA is subject to the limitations in the Agreement. If there is a conflict between this DPA and the Agreement, the DPA controls with respect to personal-data processing.
Annex I — Description of processing
As described in sections 3 and 4 above. Roles: Controller is the data exporter; Processor is the data importer.
Annex II — Technical & organizational measures
- TLS 1.2+ in transit; AES-256 at rest.
- Role-based access controls with least-privilege defaults.
- MFA for all production access.
- Centralized audit logging with 12-month retention.
- Written incident-response plan tested at least annually.
- Background checks on personnel with production access.
- Annual penetration test by an independent third party.